
Can an HTTPS request be replayed using Fiddler/TamperData, probably due to poor handling of the login process? Once I log out of my system (HTTPS), I am able to log back in using replay. Simon Buchan has already mentioned that HTTPS cannot be replayed. Ref: https://stackoverflow.com/a/2770133/1502619

If replay logs me in, does that mean that my login doesn't handle replay attack or is it that I am not logging out correctly?

asked by linoox

1 Answer


Simon Buchan notes (correctly) that a client cannot send exactly the same encrypted bytes to the HTTPS server and have it accept them as valid; one of the protections HTTPS provides is protection against that sort of "blind" replay.

What Fiddler & TamperData do isn't the same thing -- these tools start with the same unencrypted bytes (e.g. your username and password), establish a new HTTPS connection to the server, and then send the HTTPS request to the server again on that new connection.

So, it's a replay of the same HTTPS request, but not a replay of the same raw bytes.

There's no practical way to prevent a tool with access to the unencrypted data (like Fiddler has) from logging into your site using that information.

answered by EricLaw
  • Thank you very much Eric for the details. Consider this (just to test) - I login to a social website, browse, logout; and then if I replay one of the post authentication pages, the response is not same as before and I can't log back in through replay. Could you please comment on this? [Thanks for the tool] – linoox Jan 04 '14 at 02:32
  • update: I am able to log back in because I may not be invalidating the session correctly. – linoox Jan 06 '14 at 16:33
  • It depends on how the site works. When you log in, most sites accept username:password and give you back a session token. On logout, they *should* expire that token (not accept it anymore) but the site will still accept username:password to give you a new token. So an attacker with unencrypted traffic can still get in even if tokens expire properly. – EricLaw Jan 06 '14 at 21:35
  • Perfect! I get it now. I think I am not expiring the token in my case. Thanks a lot Eric. – linoox Jan 07 '14 at 18:31
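The distinction drawn in the answer and comments above, as an added Python sketch that is not code from the original post or from either poster: a post-authentication page replayed with an old token is rejected once logout invalidates the token server-side, but it keeps working when logout only clears the browser cookie (the bug linoox describes), and replaying the login request itself still succeeds either way. The user table, salt, and function names are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed demo credential store: username -> PBKDF2 hash of the password.
_SALT = b"demo-salt"
_ITERATIONS = 100_000
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS)}

# Server-side session store: token -> username. A token is valid only while it is in here.
SESSIONS: Dict[str, str] = {}


def login(username: str, password: str) -> Optional[str]:
    """Handle a login request: verify the credentials and issue a fresh random session token."""
    expected = USERS.get(username)
    if expected is None:
        return None
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    if not hmac.compare_digest(got, expected):
        return None
    token = secrets.token_urlsafe(32)  # unpredictable; never derived from the credentials
    SESSIONS[token] = username
    return token


def logout_cookie_only(token: str) -> str:
    """Broken logout: tells the browser to drop the cookie but leaves the token live on the server.

    A copy of the token captured earlier (e.g. by a proxy) still works after this."""
    return "Set-Cookie: session=; Max-Age=0"


def logout(token: str) -> str:
    """Correct logout: invalidate the token server-side, then tell the browser to drop the cookie."""
    SESSIONS.pop(token, None)
    return "Set-Cookie: session=; Max-Age=0"


def authenticated_request(token: str) -> str:
    """A post-authentication page: served only while the presented token is still live."""
    user = SESSIONS.get(token)
    return f"200 welcome {user}" if user else "401 unauthorized"
```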